If you want a really neat and free method of doing this, this is a cool plugin. Essentially, it implements the Google Authenticator code for a WordPress site.
http://wordpress.org/extend/plugins/google-authenticator/
Google Authenticator is a free app available for iPhone, Android, or BlackBerry phones. It implements a 2-step verification system with 30-second expiring codes, just like many of those little fob systems you’ve probably used (RSA is well known for these).
The difference is that GA uses an open-source algorithm. They made the apps available so they could implement it in Gmail, but because the algorithm is known, anybody can use it and have the apps work for them too.
The sync process is kinda cool too. Basically it shows you a QR code which you scan with the app and voila, it’s synced.
The plugin implements an extra field on the Login page for the authentication token code instead of having it as a separate step, but the security here is basically the same. Without the password and the device that generates the token, you can’t log in.
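The open algorithm behind those 30-second codes is TOTP (RFC 6238). The sketch below is an added example, not part of the original post and not the plugin's code: it generates a code, verifies one on the server side with a one-step clock-drift window and replay rejection (which goes a little beyond what the post describes), and builds the `otpauth://` URI that the QR code carries. The secret, account and issuer values are constructed for the demo.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote, urlencode

STEP = 30    # seconds each code stays valid
DIGITS = 6   # code length shown by the authenticator app

# Constructed sample secret: the RFC 6238 test key, base32-encoded as the apps expect.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at=None):
    """Return the TOTP code (HMAC-SHA1 variant) for the time `at` (epoch seconds)."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))      # restore stripped padding
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, at=None, window=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    `window` tolerates clock drift of that many steps either way. The caller
    stores the returned counter per user and passes it back as `last_counter`,
    so a code that was already accepted cannot be replayed within its lifetime.
    """
    now = int(time.time() if at is None else at) // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:                      # already used, or negative
            continue
        expected = totp(secret_b32, counter * STEP).encode()
        if hmac.compare_digest(expected, submitted.strip().encode()):  # constant time
            return counter
    return None

def provisioning_uri(secret_b32, account, issuer):
    """Build the otpauth:// URI that gets rendered as the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?" + urlencode({"secret": secret_b32, "issuer": issuer})

if __name__ == "__main__":
    print(totp(DEMO_SECRET, at=59))                      # RFC test time
    print(verify(DEMO_SECRET, "287082", at=89))          # accepted one step late
    print(provisioning_uri(DEMO_SECRET, "alice", "ExampleBlog"))
```

Anyone who sees the QR code or the URI can generate valid codes, so the shared secret needs the same protection on the server as a password hash does.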